Abstract
Cryptographic libraries often feature multiple implementations of primitives, to meet both the security needs of handling private information and the performance requirements of modern services when the handled information is public. OpenSSL, the de facto standard free and open source cryptographic library, includes mechanisms to differentiate the confidential data and its control flow, including run-time flags, designed for hardening against timing side-channels, but repeatedly and accidentally mishandled in the past. To analyze and prevent these accidents, we introduce Triggerflow, a tool for tracking execution paths that, assisted by source annotations, dynamically analyzes the binary through the debugger. We validate this approach with case studies demonstrating how adopting our method in the development pipeline would have promptly detected such accidents. We further showcase the value of the tooling by presenting two novel discoveries facilitated by Triggerflow: one leak and one defect.
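As an added illustration of the approach the abstract describes (this is not the paper's tool, and the `// TRIGGERFLOW POI` annotation syntax, the `modexp` sample and the gdb log are assumptions constructed here), a minimal Python checker that turns source annotations into gdb breakpoints and flags any run in which an annotated point of interest is reached:

```python
import re

# Assumed annotation syntax (hypothetical, not the paper's): "// TRIGGERFLOW POI"
# marks a line secret-dependent execution must never reach; "IGNORE" tolerates it.
ANNOT_RE = re.compile(r"//\s*TRIGGERFLOW\s+(POI|IGNORE)\b")
# gdb reports a hit as e.g. "Breakpoint 2, modexp (...) at modexp.c:4"
HIT_RE = re.compile(r"^Breakpoint \d+, .* at (\S+):(\d+)$")

def find_annotations(source, filename):
    """Map (file, lineno) -> kind for every annotated line of one source file."""
    found = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ANNOT_RE.search(line)
        if m:
            found[(filename, lineno)] = m.group(1)
    return found

def gdb_script(annotations, program):
    """gdb batch script: break on each annotated line, show who called, go on."""
    lines = ["set pagination off", f"file {program}"]
    for fname, lineno in sorted(annotations):
        lines += [f"break {fname}:{lineno}", "commands", "bt", "continue", "end"]
    lines += ["run", "quit"]
    return "\n".join(lines)

def poi_hits(annotations, gdb_log):
    """(file, line) of every POI reached per the gdb log; empty list = clean run."""
    hits = []
    for line in gdb_log.splitlines():
        m = HIT_RE.match(line)
        if m and annotations.get((m.group(1), int(m.group(2)))) == "POI":
            hits.append((m.group(1), int(m.group(2))))
    return hits

# Constructed sample source: a run-time flag selects the hardened path.
SAMPLE_SRC = """\
int modexp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m, int flags) {
    if (flags & BN_FLG_CONSTTIME)
        return modexp_consttime(r, a, p, m);
    return modexp_fast(r, a, p, m); // TRIGGERFLOW POI
}
"""
# Constructed gdb output for a run in which a caller failed to set the flag.
SAMPLE_LOG = """\
Breakpoint 1, modexp (r=..., a=..., p=..., m=..., flags=0) at modexp.c:4
#0  modexp (r=..., a=..., p=..., m=..., flags=0) at modexp.c:4
#1  0x0000555555556abc in sign (...) at sign.c:42
"""
```

Run the generated script with `gdb -batch -x script.gdb` against a debug build and feed the captured output to `poi_hits`; an empty result is the regression test passing, a non-empty one names the forbidden path and the backtrace shows the caller that dropped the flag.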
Acknowledgments
This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No. 804476).
A OpenSSL Commits
© 2019 Springer Nature Switzerland AG
Cite this paper
Gridin, I., Pereida García, C., Tuveri, N., Brumley, B.B. (2019). Triggerflow: Regression Testing by Advanced Execution Path Inspection. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_16
DOI: https://doi.org/10.1007/978-3-030-22038-9_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9
eBook Packages: Computer Science (R0)